Module Tools and Troubleshooting


8/8/2019 Module Tools and Troubleshooting

1/172

Tools and Troubleshooting

Microsoft Windows XP New Hire

Microsoft Confidential Provided Under NDA


Table of Contents

Introduction ..... 6
System Restore ..... 7
  What System Restore Does ..... 7
  System Restore Boundaries ..... 9
  Architecture Overview ..... 10
  Summary ..... 12
  System Restore Configuration ..... 14
  Drive Frozen Due to Low Disk Space ..... 15
  System Restore Points ..... 18
  Data not in a Restore Point ..... 19
  System Restore Timeline ..... 19
  Using System Restore ..... 22
  System Restore in Safe Mode ..... 23
  Restoring ..... 23
  Troubleshooting System Restore ..... 27
  Functionality in Safe Mode Scenarios ..... 29
  General Troubleshooting ..... 30
  Resources ..... 37
  System Restore and Service Pack Installation ..... 39
WFP/SFC ..... 41
  Windows File Protection and Driver Signing ..... 43
  What is WFP? ..... 45
  How WFP works ..... 45
  WFP Allowable Updates ..... 47
  WFP Utilities ..... 48
  WFP Configuration ..... 48
  Windows File Protection Troubleshooting ..... 49
Diagnostic Tools ..... 53
  Documentation Resources ..... 54
  Help and Support ..... 54
  Resource Kit ..... 55
  MSDN Advanced Documentation ..... 55
  Windows Hardware and Driver Central ..... 55
  MSConfig ..... 57
  MSInfo32 ..... 61
  Event Logs ..... 63
  Using Event Logs for Troubleshooting ..... 63
  MPSReports ..... 67
  Error Reporting ..... 69
  Dr. Watson ..... 71
  Cacls ..... 73
  Support Tools ..... 76
  RASDiag ..... 76
  Windiff ..... 79
Recovery Console ..... 81
  Using Recovery Console ..... 82
  Performing Troubleshooting in Recovery Console ..... 86
  Recovery Console Details ..... 97
Kernel Errors ..... 101
  Why do you need to know about Kernel Mode error messages? ..... 104
  What is a Kernel Mode Error? ..... 104
  Stop Messages ..... 105
  Stop Error Troubleshooting ..... 109
  Troubleshooting Information to Gather from Stop Messages ..... 109
  Troubleshooting Steps ..... 109
  Disable Automatic Restart on System Failure ..... 112
  Specific Bugcheck Codes ..... 114
    0x0000000A: IRQL_NOT_LESS_OR_EQUAL ..... 114
    0x0000001E: KMODE_EXCEPTION_NOT_HANDLED ..... 114
    0x0000007B: INACCESSIBLE_BOOT_DEVICE ..... 115
    0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED ..... 115
    0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED ..... 116
    0x000000C2: BAD_POOL_CALLER ..... 116
    STOP: C0000135: {Unable To Locate Component} ..... 116
    0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED ..... 117
    0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH ..... 118
User Mode Errors ..... 121
  Application Errors ..... 122
  User Mode Errors ..... 123
  Why do you need to know about User Mode Error messages? ..... 124
  What is a User Mode Error? ..... 124
  Troubleshooting ..... 127
Registry Troubleshooting Techniques ..... 131
  What Is the Registry? ..... 132
  Registry Structure ..... 134
  What Is the Registry Editor? ..... 137
  Registry Editor Features ..... 137
  Registry Troubleshooting Techniques ..... 140
  Prune and Graft ..... 140
  Monitoring Registry Access ..... 141
  Registry Corruption Troubleshooting ..... 144
  Considerations ..... 144
  Precautions ..... 145
  Recovery Steps ..... 145
Remote Assistance ..... 153
  Using Remote Assistance ..... 154
  Creating an invitation ..... 154
  Send the Invitation ..... 154
  Using an Invitation ..... 156
  Taking Control ..... 156
  Session Considerations ..... 156
  Remote Desktop and Remote Assistance Compared ..... 159
  Intended Purpose and Audience ..... 159
  Obtaining Access Rights ..... 160
  Initiating a Session ..... 160
  Comparing the Client Views ..... 161
  Comparing the Remote Consoles ..... 162
  Terminating a Remote Session ..... 162
  Comparing User Control ..... 162
  Summary ..... 162
  Troubleshooting Remote Assistance ..... 164
  Connections ..... 164
  Resources ..... 168
Data Loss/Data Recovery Discussion ..... 169
  Before Any Troubleshooting ..... 169
  Understanding where Data Loss is Possible ..... 169
  Setting Expectations ..... 172

Table of Figures

Figure 1: System Restore Welcome Screen ..... 7
Figure 2: System Restore Wizard Options ..... 11
Figure 3: Filter Driver Architecture ..... 12
Figure 4: System Restore Configuration ..... 14
Figure 5: Settings for C: drive ..... 15
Figure 6: Use the DCU to make more space ..... 15
Figure 7: Registry keys ..... 18
Figure 8: System Restore timeline ..... 19
Figure 9: Filelist.xml ..... 20
Figure 10: Accessing System Restore through MSconfig ..... 22
Figure 11: Accessing System Restore through MSinfo32 ..... 23
Figure 12: System Restore Wizard ..... 24
Figure 13: SRDiag ..... 27
Figure 14: Successful file restoration logged ..... 45
Figure 15: Prompt for CD ..... 46
Figure 16: Event cancelled ..... 46
Figure 17: Unsigned drivers ..... 46
Figure 18: Run Sigverif ..... 50
Figure 19: Unsigned drivers listed by sigverif ..... 51
Figure 20: System Configuration Utility ..... 57
Figure 21: Looking for Errors later than Event ID 6005 ..... 64
Figure 22: Event Log Error ..... 65
Figure 23: Error Reporting ..... 69
Figure 24: Windiff ..... 79
Figure 25: Press R to Start Recovery Console ..... 83
Figure 26: Select Installation ..... 83
Figure 27: Logon and Command Prompt ..... 84
Figure 28: Fixboot ..... 88
Figure 29: Fixboot ..... 89
Figure 30: FixMBR ..... 90
Figure 31: Diskpart ..... 94
Figure 32: Diskpart ..... 96
Figure 33: Kernel Mode Error (Stop Error) ..... 101
Figure 34: Startup and Recovery Settings ..... 103
Figure 35: Kernel Mode Error - Stop Error ..... 106
Figure 36: User Mode Error ..... 123
Figure 37: Error Reporting Dialog Box ..... 125
Figure 38: Error Details Dialog box ..... 126
Figure 39: Hives in Regedit ..... 134
Figure 40: Keys in Regedit ..... 135
Figure 41: Regmon Output ..... 142
Figure 42: System Volume Information Security ..... 148
Figure 43: Select how you want to contact the helper ..... 155
Figure 44: Start a Help Session ..... 156
Figure 45: Remote Desktop client view ..... 161
Figure 46: Remote Assistance client view ..... 161
Figure 47: Novice is behind a NAT ..... 165
Figure 48: UPnP NAT ..... 165


    Introduction

Module Objectives:

Discuss:

  System Restore
  WFP/SFC
  Diagnostic Tools
  Recovery Console (RC)
  Kernel Errors
  User Errors
  Registry Troubleshooting Techniques
  Remote Assistance


    System Restore

If users experience system failure or another significant problem, they can use System Restore from Safe Mode or Normal Mode to go back to a previous system state, restoring optimal system functionality. System Restore actively monitors system file changes and some application file changes in real time to record or store previous versions before the changes occurred. Restore Points contain a snapshot of the registry, and may contain key system files that have been changed. Restore Points are created at the time of significant system events (such as application or driver install) and periodically (every 10 hours of session time or 24 hours of calendar time). Additionally, users can create and name their own Restore Points at any time. This allows the user to roll back the state of the system to a previous time when everything was working.

    Figure 1: System Restore Welcome Screen

    What System Restore Does

System Restore monitors key application and system files during installation of new programs or new driver files, thus keeping the version information of the system files in the restore point. It also creates a snapshot of the restore registry keys, HKEY_LOCAL_MACHINE and HKEY_USERS, and works in conjunction with Windows File Protection to record and store the versions of the system files that were on the system when the snapshot was created. System Restore is supported in Safe Mode and Normal Mode. The only difference between restoring in Safe Mode and in Normal Mode is that in Safe Mode it does not create an Undo Restore Point. By contrast, Normal Mode creates an Undo Restore Point and has the ability to revert from a failed restore, or to undo the restoration.


The design of System Restore is such that the user never needs to explicitly take manual snapshots; the backup is done silently in the background. Windows XP provides meaningful Restore Points that correspond to major system change events (e.g. application installation). When a problem occurs, users can roll back their system to a point in time immediately before a restore point (e.g. before application XYZ was installed and machine issues began).

Twenty-four-hour real-time or ten-hour session-time Restore Points cover those system events which are not tracked. System Restore does NOT monitor user data (i.e. anything in My Documents or known extensions such as .doc, .xls, .mdb, .pst, etc.). This prevents the user from losing data when a restore is performed.

System Restore actively monitors and records changes to a select group of system and application files specified in an include list. These file copies are logged, compressed and stored locally in a protected directory, or data archive. For every restore point created, System Restore takes a full registry snapshot. These registry snapshots are also logged and stored within the data archive.

When a customer needs to revert his/her PC to a time before a destructive change occurred, the System Restore UI presents a restore point catalog which displays the restore options for a selected day.

Restore Points can take the following forms:

  Periodic (called system checkpoints)
  Application installs with friendly names
  Manually created, user-named Restore Points
  Restore operation providing undo capabilities

Once the user selects a restore point, System Restore creates a restore map and conducts the restore by specifying:

  The ultimate file operations necessary to revert the system to its selected point
  The identification of the original registry to replace

Note:

A user can set which drives System Restore will monitor on its Properties Page; however, it is not possible to disable SR on the System Drive and leave it on non-system drives. The list of excluded and included files (SFP) is in %windir%\System32\Restore\filelist.xml.

The combination of a wizard-like step-by-step restore UI with meaningful restore point choices is intuitive and non-intimidating, enabling even the most novice customers to undo system changes without assistance.


Note:

System Restore does not back up data and so cannot be used to perform a backup for purposes of protecting data.

Note:

System Restore can be used to revert Windows XP to before the installation of Service Pack 1 (SP1). This may cause PPPoE to break in Windows XP networking as described in Q320558.

Note:

When performing troubleshooting in Windows XP, it is often necessary to perform a Clean Boot with all services disabled using the MSConfig Utility. When this is done, the System Restore Service is also switched off, removing all saved Restore Points. Consider trying System Restore to solve the issue prior to disabling the service, or do a Clean Boot leaving the System Restore Service running.

    System Restore Boundaries

System Restore is meant to be a system stability recovery tool. It has many limitations that make its use for other tasks undesirable. For instance, System Restore does not monitor or restore the contents of redirected folders. System Restore does not monitor any settings associated with roaming user profiles. IE-specific items such as cookies, favorites, and the browser history will not be restored. In addition, System Restore is not an uninstall utility. For applications, if you create a System Restore snapshot, install four applications on your system, and then want to use System Restore simply to remove one of the applications, that is not possible. If you do a rollback to a previous system state, you get a complete snapshot of the system before the four programs were installed.

System Restore is not designed to back up or restore personal data. Many of the common data types used on the PC are not covered by System Restore. This means that if you have one version of a Word document, then restore to a time two weeks prior to that, you still have the same version of the Word document on the system. System Restore is not meant to be a replacement for a full backup because only incremental changes to the operating system and application files (not personal data) are saved. A complete or ASR backup and restore is required to recover from problems that cause your system to become unbootable.

Last, System Restore is not a virus protection program. The data archive no longer restricts access to virus utilities. This means that anti-virus programs can now check the contents of the System Restore .CAB files for infected files. But the bottom line is that System Restore should not be relied upon to fix viruses. It is possible to restore to a previous point and still have a virus on the system.


    Architecture Overview

To track and copy files before changes, System Restore uses a file system filter driver that runs at the kernel level (Kernel Mode). This kernel-level filter driver monitors file system operations and, for select file types and operations, quickly interrupts an operation (for example, DELETE FILE) and copies or moves the original file before the operation is complete. The file changes are entered into a log, and the file copies and logs are stored in an archive on the drive or partition where the original file resided. Change-based file copying happens once per specific file per system session or for any given Restore Point.

The files and operations that the filter driver takes note of are known as interesting operations, and include creation, deletion and modification of system files. Any physical attribute changes or renames of a system file, and any ACL changes made on the System Restore files or the system files, are also interesting operations. The System Restore filter driver intercepts all of the special calls or operations that are made by the Win32 file system. It logs all the changes to a change log and renames or copies the file to a data store. After this process is logged, the operation is passed on through to NTFS or the file system and allowed; that is, the changes that are being requested are allowed on the file.

The System Restore Wizard is provided to the user so that a simple interface can be used to roll back the system. The wizard interface contains the options to restore the computer back to a previous point, create a new restore point, or undo a previous restore.


Figure 2: System Restore Wizard Options


    Figure 3: Filter Driver Architecture

Figure 3 shows the architecture of the System Restore filter driver. In Step One, the Win32 file system makes a call or takes an action on one of the protected system files. In Step Two, the System Restore Filter Driver intercepts the call, makes a change-log entry and copies the file to the data store for the restore point. In Step Four, the call goes through to the file system, either NTFS or FAT. The driver copies files on first write and handles files open for exclusive access.

Summary

System Restore is a real-time change monitor-and-restore feature in Windows XP. It uses a filter driver architecture to track changes to the system, and provides a simple user interface for restoring and creating Restore Points. System Restore automatically creates Restore Points and also allows the manual creation of Restore Points. The Restore Points themselves allow the user to restore the system to a previous point in time, restore access to the system, and return the system to a stable state.


    System Restore Configuration

This section covers the configuration of System Restore as well as status indicators and storage management. System Restore is configured on the System Restore tab of the System Properties dialog box. Access it via Control Panel > System > System Restore tab.

    Figure 4: System Restore Configuration

The first option on the System Restore tab is to turn System Restore on or off for all drives. Select this option if you do not want to use System Restore. Turn off System Restore for each drive individually by selecting the drive and clicking the Settings button.


Select the drive that you want to modify and click the Settings button to change how much space is allotted on each drive for System Restore.

    Figure 5: Settings for C: drive

Move the slider to modify how much space is available for saving restore points. Disk space thresholds start at a minimum of 200 MB for a system disk or 50 MB for other disks, and max out at 12% of the drive. The default is the larger of 400 MB or 12%. When the space is filled, Restore Points are deleted on a FIFO (first in, first out) basis: when the data store reaches 90% of its maximum, the oldest restore points are purged until usage drops to 75%, creating space for new restore points. At a Low Disk notification (50 MB), all restore points freeze.

    Figure 6: Use the DCU to make more space

    Drive Frozen Due to Low Disk Space

Users see a Single Partition SR Frozen (suspended) view if SR has been frozen due to low disk space. They can still turn off SR (whether they clean up space or not) but they cannot change the data store size. There is a link directly to the Disk Cleanup utility (DCU) from this screen to clean up space so that SR automatically resumes (if desired).

Users see a Non-System Drive setting view if a non-system drive is suspended. In this view, the selected non-system drive has been frozen or suspended. There is a link to the DCU from this dialog as well, and the data store slider appears grayed out until SR has resumed functioning (once at least 200 MB of space is created).


When the Multiple Drives suspended (frozen) view appears, all the drives are suspended or out of disk space, so they are frozen. In the case of multiple partitions, the disk cleanup link will be on the Settings dialog for each drive. The Settings button will not be active for any non-system drive (it appears grayed out) until the System Drive is monitoring.

If the system drive is frozen first, all drives will be suspended or frozen. When users close the Settings dialog after running the DCU on C:, all other drives will now show Monitoring as their status.
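The data store sizing, FIFO purge and low-disk freeze/resume rules described in this configuration section, modelled in Python as an added illustration (not Microsoft's code; the DataStore class, its method names and the sample sizes are this example's own, the thresholds are the module's):

```python
"""Model of the System Restore data store thresholds from the configuration
section: minimum size, default size, FIFO purge and the low-disk freeze.
Added illustration, not Microsoft's code; the DataStore class and its method
names are this example's own. All sizes are in MB."""
from collections import deque

MIN_SYSTEM_MB, MIN_OTHER_MB = 200, 50     # minimum data store per drive type
LOW_DISK_MB = 50                          # Low Disk notification: SR freezes
RESUME_FREE_MB = 200                      # SR resumes once this much space is freed
PURGE_TRIGGER, PURGE_TARGET = 0.90, 0.75  # FIFO from 90% of max down to 75%


def default_store_mb(drive_size_mb: int, system_drive: bool) -> float:
    """Default data store size: the larger of 400 MB or 12% of the drive,
    never below the per-drive minimum."""
    minimum = MIN_SYSTEM_MB if system_drive else MIN_OTHER_MB
    return max(minimum, 400, 0.12 * drive_size_mb)


class DataStore:
    """Restore points on one drive, oldest first, with the purge rules above."""

    def __init__(self, max_mb: float, free_disk_mb: float):
        self.max_mb = max_mb
        self.free_disk_mb = free_disk_mb
        self.points = deque()        # (name, size_mb), oldest at the left
        self.frozen = False

    def used_mb(self) -> float:
        return sum(size for _, size in self.points)

    def add_point(self, name: str, size_mb: float):
        """Create a restore point. Returns the names purged by FIFO, or None
        when the drive is frozen and the point could not be created."""
        if self.free_disk_mb <= LOW_DISK_MB:
            self.frozen = True          # Low Disk notification freezes SR
        if self.frozen:
            return None
        self.points.append((name, size_mb))
        self.free_disk_mb -= size_mb
        return self._fifo_purge()

    def _fifo_purge(self) -> list:
        purged = []
        if self.used_mb() >= PURGE_TRIGGER * self.max_mb:
            # Drop the oldest points until usage is back at or below 75% of max
            while self.used_mb() > PURGE_TARGET * self.max_mb and len(self.points) > 1:
                name, size = self.points.popleft()
                self.free_disk_mb += size
                purged.append(name)
        return purged

    def disk_cleanup(self, freed_mb: float) -> bool:
        """Space freed with the Disk Cleanup utility; SR resumes at 200 MB free.
        Returns True when the drive is monitoring again."""
        self.free_disk_mb += freed_mb
        if self.free_disk_mb >= RESUME_FREE_MB:
            self.frozen = False
        return not self.frozen
```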


    System Restore Points

A Restore Point is a snapshot of system files and registry settings. It is created either automatically or manually before key changes are made, to allow users to choose previous system states. File compression is enabled only on NTFS. The data is stored in the \System Volume Information folder at the root of each monitored drive; the Globally Unique Identifier (GUID) information is stored in MachineGUID.TXT. The data in a Restore Point includes:

  Registry settings
  Profiles (local only; roaming user profiles are not impacted by restore)
  COM+ Database (DB)
  WFP cache
  WMI DB
  Internet Information Server (IIS) Metabase
  Files with extensions listed in the Monitored File Extensions list in the System Restore section of the Platform Software Development Kit (SDK)

Note:

The Restore Point folder and files are super hidden. Customers may need to change the view options in Windows Explorer in order to see the Restore Point.

    Figure 7: Registry keys


    Data not in a Restore Point

Since the information in a restore point is limited to the system registry hives and key application and system files, user-created data files, user profile settings and the contents of redirected folders are not placed in a restore point. Another key thing that is not stored in a restore point is the Windows Media Rights Manager (DRM) information, which tracks a license's state (expiration date, number of plays allowed) by creating a signed hash of the license file and storing it in a registry key; key license information is also kept in files under Documents and Settings\All Users\DRM. Restore points also do not store the Security Account Manager (SAM) hive (so passwords are not restored) or any Windows Product Activation settings.

Directories or files listed in the exclude section of filelist.xml are excluded, as is any file whose extension is not listed in the include section. Items listed under FilesNotToBackup and KeysNotToRestore (HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup and KeysNotToRestore) are not restored either.
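To make the include/exclude rule concrete, here is an added example (not Microsoft code and not part of this module) that models the decision System Restore makes for a given path: the extension must be in the include list, and the file must not be an excluded file or sit under an excluded directory. The XML below is constructed for the example; its element names (filelist, exclude, include, dir, file, ext) are assumed for illustration and are not the real filelist.xml schema, which on an actual system is read from %systemroot%\system32\restore\filelist.xml.

```python
"""Model of System Restore's monitored-path decision from a filelist.xml-style policy.

Added example, not Microsoft code. SAMPLE_FILELIST is constructed for this
example; its element names are assumed for illustration and are not the
real filelist.xml schema.
"""
import ntpath
import xml.etree.ElementTree as ET

SAMPLE_FILELIST = """<?xml version="1.0"?>
<filelist>
  <exclude>
    <dir>C:\\Documents and Settings</dir>
    <dir>C:\\System Volume Information</dir>
    <file>C:\\pagefile.sys</file>
  </exclude>
  <include>
    <ext>exe</ext>
    <ext>dll</ext>
    <ext>ini</ext>
    <ext>sys</ext>
    <ext>ocx</ext>
  </include>
</filelist>
"""


def _norm(path):
    """Windows paths are case-insensitive; compare a normalized lower-case form."""
    return ntpath.normpath(path).lower().rstrip("\\")


class MonitorPolicy:
    """Answers 'would a change to this file be recorded in a restore point?'"""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.excluded_dirs = [_norm(d.text) for d in root.iterfind("exclude/dir")]
        self.excluded_files = {_norm(f.text) for f in root.iterfind("exclude/file")}
        self.included_exts = {e.text.strip().lower() for e in root.iterfind("include/ext")}

    def is_monitored(self, path):
        p = _norm(path)
        ext = ntpath.splitext(p)[1].lstrip(".")
        if ext not in self.included_exts:        # unlisted extension: never tracked
            return False
        if p in self.excluded_files:             # explicitly excluded file
            return False
        # anything under an excluded directory tree is left alone
        return not any(p == d or p.startswith(d + "\\") for d in self.excluded_dirs)

    def partition(self, paths):
        """Split paths into (rolled back by a restore, left untouched)."""
        tracked = [p for p in paths if self.is_monitored(p)]
        untracked = [p for p in paths if not self.is_monitored(p)]
        return tracked, untracked


if __name__ == "__main__":
    policy = MonitorPolicy(SAMPLE_FILELIST)
    for path in (r"C:\SusanFiles\download.exe",
                 r"C:\Documents and Settings\Susan\My Documents\download.exe",
                 r"C:\WINDOWS\setup.log"):
        print(f"{path}: {'monitored' if policy.is_monitored(path) else 'not monitored'}")
```

The partition helper is the quick way to answer the support question "which of these files will a restore touch?": a .exe saved in a user's own folder off the root is tracked and is rolled back, while the same file under Documents and Settings is left alone, and a .log is never tracked regardless of where it lives.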

    System Restore Timeline

    Look at the following timeline to see how System Restore works.

Figure 8: System Restore timeline

    Time   Action                                            Machine state
    T0     Office 2K installed                               Office 2K
    T1     Evil App installed                                Office 2K, Evil App
    T2     System checkpoint                                 Office 2K, Evil App, changes between T2 and T3
    T3     Restore system to before Evil App was installed   Office 2K


    Figure 9: Filelist.xml


    Using System Restore

There are three common ways to start the System Restore user interface directly:

- Click the System Restore shortcut icon.
- From the Start menu, choose All Programs > Accessories > System Tools, then click the System Restore icon.
- Run the executable itself. It is named RSTRUI.exe and is located on the system drive in %systemroot%\system32\restore.

The indirect ways to reach the System Restore user interface are MSCONFIG.exe, MSINFO32.exe and the Help and Support Center. After starting any of these three, select System Restore from the list of tasks the program offers.

    Figure 10: Accessing System Restore through MSconfig


Figure 11: Accessing System Restore through MSinfo32

The last way to be prompted to run the System Restore user interface is when booting into Safe Mode. Booting into Safe Mode for the first time automatically generates a dialog box asking whether you want to run the System Restore user interface to return to a previously created restore point.

    System Restore in Safe Mode:

In Safe Mode, you can restore to any point, but you cannot create a restore point (not even the restore point normally associated with a restore itself). If you restore to a previous restore point in Safe Mode, there is no Undo operation for it, since an Undo would require a restore point to have been created for that restore operation. Some points to remember about SR in Safe Mode:

- If the FirstRun key is set and you boot into Safe Mode, Windows will not initialize SR.
- If the FIFO condition is met, it works as in protect (normal) mode.
- Freeze and thaw happen as in protect mode, except that no restore point is created for a thaw.
- File changes are monitored and recorded in Safe Mode as in protect mode.
- There is no option to boot from an Emergency Boot Disk and undo a restoration. Users will have to use the F8 startup options (Last Known Good Configuration) or the Recovery Console to get back to the GUI and then return to the previous state.

    Restoring

In the System Restore wizard interface there are three major choices:

- The user can create a restore point.
- The user can restore, rolling back changes to the registry and to key system or application files. Note that the Recovery Console, which is used to repair a damaged installation of Windows XP, does not tie into System Restore's restore points and cannot be used in that way.
- The user can undo a restoration. Undoing simply rolls back using the restore point taken before the restore; the same mechanism is used to roll back system changes that have rendered the system unusable.

    Figure 12: System Restore W izard

Some useful things to know about System Restore:

- It creates a restore point when a point is restored, to allow the restore to be undone.
- It can restore a system to a state close to when the problem started, rather than to the shipped image.
- It has minimal impact on performance and a small disk space cost.
- It just works: no interaction is necessary until the user needs to restore.
- There is no user data loss: restoring the system will not cause you to lose changes to personal data files.
- It is automatic and easy for the consumer user, while flexible and powerful enough for advanced users and administrators.


    Functionality in Safe Mode Scenarios

Listed here are six System Restore scenarios that customers encounter when troubleshooting System Restore failures.

- System Restore does not record changes in file compression, nor does it undo them, because changes in compression do not cause the system to fail.
- System Restore does not replace all files of a removed program. For example, an application is installed on Microsoft Windows XP and SR takes a system snapshot. Later the application is uninstalled, and the user then rolls the system back to the state where the application was installed. The registry settings and some of the application's files may be restored, but not necessarily all of them. If the application does not work correctly, reinstall it from the original media.
- Automatic restore points for unsigned drivers. When an automatic restore point is created for an unsigned driver installation, all that the System Restore user interface lists is "Unsigned driver installation"; the name of the driver is not shown. This behavior is by design.
- How System Restore handles passwords. Windows XP and Microsoft Internet Explorer passwords are not restored, to prevent rolling back to an older password that a user has forgotten. Application passwords and domain passwords, however, are restored.
- System Restore is suspended on the system drive although there is enough free space available. Here one of the non-system drives has less than 15 MB of free disk space. To re-enable System Restore, the user must either disable it on the drive with less than 15 MB free or free up at least 200 MB on that drive so that the suspend condition clears.
- System Restore points are missing or deleted. There are five cases in which restore points are deleted:
  - an out-of-disk-space condition;
  - System Restore is turned off on a drive;
  - an upgrade to a new operating system;
  - the Disk Cleanup utility is run;
  - the data store reaches 90% of its maximum size, in which case the System Restore FIFO algorithm frees enough space to bring it back to 75% of the maximum.


    SR is not Add/Remove Programs

The first potential issue with System Restore is a misconception about the respective functions of SR and Add/Remove Programs.

System Restore removes only files with monitored extensions, such as .ini, .exe and .dll. Restoring to a point before an application was installed therefore leaves behind the application's unmonitored files, which may cause confusion as to why the application was removed but some of its files remain.

This will typically affect home users, but can affect some businesses, and is of low impact. Various error messages may appear depending on the application; most involve the inability to launch the application or missing files, DLLs and so on.

Symptoms:
- Application files and directories left behind
- Only monitored extensions (.ini, .exe, .dll) are removed
- Possible error message regarding the unsuccessful launch of the application

Impact: Low; home users.

If System Restore is used to remove a program instead of Add/Remove Programs, some files related to the program may remain after the restore. Users should always use Add/Remove Programs, not System Restore, to uninstall an application.

Similarly, removing a program and then restoring the system to a point at which the program was still installed will not bring back all of that program's files. Some files may be restored, but error messages related to the program may result; the user can then reinstall the application.

Steps to resolve this issue:

- Find out which files related to the application are still on the system and delete them manually.
- Undo the restoration.
- Use Add/Remove Programs, not SR, to uninstall and install applications.
- Reinstall the application and then use Add/Remove Programs to remove it and its files.

    For more information, please see Q286143 - The System Restore Utility Does

    Not Replace All the Files of Removed Programs.


Cause
Application was removed by using System Restore to restore the system to a point where the program was not yet installed.

Resolution
- Manually delete application files remaining on the system.
- Undo the restoration.
- Use Add/Remove Programs to uninstall and install applications.
- Reinstall the application and then use Add/Remove Programs to remove it and its files.

Information
- Q286143 - The System Restore Utility Does Not Replace All the Files of Removed Programs.
- Q293388 - HTML Files with .htm Suffixes and Shortcuts Are Displayed on the Start Menu After a Restore Operation.

    Space not Reserved for SR

Another possible issue involves the hard disk space that the System Restore data store uses to save restore points. Users may believe that the space allocated to the data store is a fixed, reserved block. In fact, the allocated space is used as needed and is not reserved.

The impact is low; the issue can affect home users and businesses. There are no error messages associated with it. The resolution is to explain how System Restore uses the data store space.

Symptoms:
- No error message
- Users may believe the space allocated to the SR data store is not dynamic
- Allocated hard drive space for SR is used as needed and is not a reserved block of space

Impact: Low; home users.

User education is the best action to take. Users may be informed that the data store size is not reserved space: it is used on demand and is always calculated as an effective size. For example, if the data store size is configured to 500 MB, of which 200 MB has already been used, and the current free hard disk space is only 150 MB, then the effective size is 200 + 150 = 350 MB, not 500 MB. In other words, the data store size is always limited by the available free hard disk space.


It is important to note that if disk space utilization encroaches on the data store size, for example because of non-monitored files, System Restore's data store will always yield to the system.

To access the data store settings, right-click My Computer, choose Properties, click the System Restore tab, choose the drive whose data store you want to see, and then click Settings. Move the slider to adjust the data store size.

Information
- Q300044 System Restore and Disk Space.

Cause
Misconception.

Resolution
- User education.
- Data store size is not a reserved space.
- It is used on demand.
- It is always calculated as effective size.

Information
- Q300044 System Restore and Disk Space.
- Q301224 System Restore: Restore Points are Missing or Deleted.

    SR Freezes with Low Disk Space

Another potential support issue with System Restore relates to low disk space. When there is insufficient disk space, System Restore can suspend itself, which stops monitoring on all drives. Anyone can encounter this.

The System Restore tab in the System Properties dialog box may indicate that System Restore has been suspended across the entire system because of insufficient free disk space on the system drive. Attempts to launch System Restore will generate an error message:

    System Restore is suspended because there is not enough disk space available on the system drive (drive letter). To restart System Restore, ensure at least 200 MB of free disk space are available on this drive. Do you want to start Disk Cleanup to free more disk space now?
    [Yes] [No]

Symptoms: SR suspended; error message.

Impact: High; all users.


Suspension of System Restore can occur if the free disk space on any monitored drive falls below 50 MB and an interesting event, such as the creation, deletion or modification of a monitored system file, occurs on that drive.

To resolve this, users must free up at least 200 MB of disk space on the partition or drive that caused System Restore to suspend, or turn System Restore off on that drive. System Restore is disabled per drive from the System Restore tab of the System Properties dialog box.

It is important to note that if the drive that is low on disk space is the system drive and System Restore is turned off there, it is disabled on ALL drives.

Information
- Q299904 - System Restore Suspended on System Drive Although Enough Space.

Cause
Insufficient free disk space (less than 50 MB) when an interesting event occurs.

Resolution
- Free up 200 MB of disk space or disable SR.
- If SR is disabled on the system drive, it is disabled on all drives.

Information
- Q299904 System Restore Suspended on System Drive Although Enough Space.
- Q300044 System Restore and Disk Space.
- Q301224 System Restore: Restore Points are Missing or Deleted.
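The effective-size rule from the "Space not Reserved for SR" discussion, the freeze and thaw thresholds (50 MB and 200 MB) from the low-disk-space discussion, and the 90%/75% FIFO purge of restore points can be tried out together in the following added example (not Microsoft code and not part of this module). It is a model of the rules as this module states them, not of the real service: purge percentages are taken against the configured maximum, and sizes are plain integers in MB.

```python
"""Model of the System Restore data store rules stated in this module.

Added example, not Microsoft code. It encodes the thresholds the module
gives: the store's effective size is min(configured maximum, used + free
disk space); monitoring suspends when a monitored drive drops below 50 MB
free and resumes once at least 200 MB is free; when the store reaches 90%
of its maximum, the oldest restore points are purged until it is at 75%.
"""
from collections import deque

SUSPEND_BELOW_MB = 50     # freeze threshold (per the module)
RESUME_AT_MB = 200        # thaw threshold (per the module)
PURGE_TRIGGER = 0.90      # FIFO purge starts at 90% of the maximum...
PURGE_TARGET = 0.75       # ...and stops once usage is back at 75%


def effective_size(configured_max_mb, used_mb, free_disk_mb):
    """The allocation is not a reserved block: it can never exceed used + free."""
    return min(configured_max_mb, used_mb + free_disk_mb)


class DataStore:
    """One drive's System Restore data store."""

    def __init__(self, max_mb, free_disk_mb):
        self.max_mb = max_mb
        self.free_disk_mb = free_disk_mb
        self.points = deque()          # (name, size_mb), oldest first
        self.suspended = False

    @property
    def used_mb(self):
        return sum(size for _, size in self.points)

    def status(self):
        return "Suspended" if self.suspended else "Monitoring"

    def interesting_event(self):
        """A create/delete/modify of a monitored file; freezes SR if space is low."""
        if self.free_disk_mb < SUSPEND_BELOW_MB:
            self.suspended = True
        return not self.suspended

    def free_space(self, mb):
        """Disk Cleanup (or the user) frees space; thaw once 200 MB is available."""
        self.free_disk_mb += mb
        if self.suspended and self.free_disk_mb >= RESUME_AT_MB:
            self.suspended = False
        return self.status()

    def add_restore_point(self, name, size_mb):
        """Returns (created, purged_names). Nothing is created while suspended."""
        if not self.interesting_event():
            return False, []
        self.points.append((name, size_mb))
        self.free_disk_mb -= size_mb
        return True, self._fifo_purge()

    def _fifo_purge(self):
        purged = []
        if self.used_mb >= PURGE_TRIGGER * self.max_mb:
            while self.points and self.used_mb > PURGE_TARGET * self.max_mb:
                name, size = self.points.popleft()
                self.free_disk_mb += size
                purged.append(name)
        return purged


if __name__ == "__main__":
    print("effective size:", effective_size(500, 200, 150), "MB")
    store = DataStore(max_mb=400, free_disk_mb=1000)
    for n in range(1, 5):
        print(f"rp{n}:", store.add_restore_point(f"rp{n}", 100), "used", store.used_mb)
    low = DataStore(max_mb=400, free_disk_mb=40)
    print(low.add_restore_point("rp", 10), low.status(), low.free_space(160))
```

Two things the run makes visible that the prose only states: the fourth 100 MB point on a 400 MB store trips the 90% line and silently evicts the oldest point, which is why "missing restore points" is often not a fault at all, and a drive that is already below 50 MB free never creates the point in the first place, so the user sees Suspended rather than a new restore point.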

    Downloaded Files Lost after Restore

The last support issue predicted for System Restore involves downloaded files. After performing a restore, users might find that downloaded files or applications with certain extensions are missing. Any user can encounter this.

Files with monitored extensions (such as .exe, .ini and .dll) that were saved after the chosen restore point are removed by a restore unless they are in a directory that System Restore excludes, such as My Documents or Downloaded Program Files, or on a partition that has System Restore turned off. For example, if Susan saves download.exe from her e-mail into a folder such as C:\SusanFiles instead of My Documents, she will be unable to find the program there after performing a restore.

Although no error message is associated with this issue, users may not be able to find the files they need.


    Case Study 4

Jane just used System Restore to remove Application X, which she downloaded from the web. Now she is confused because the application is gone, but she can still find some folders related to it under C:\Program Files. What might be causing this? What options does Jane have for resolution? What KB article can be referenced?

Answer

System Restore should not be used to remove an application unless the user cannot do so via Control Panel > Add/Remove Programs. A restore may leave unmonitored files and directories behind, which then have to be cleaned up manually.

KB article: The System Restore Utility Does Not Replace All the Files of Removed Programs (286143)

Resolution

Jane has four options:
- manually delete the application files remaining on the system;
- undo the restoration, then use Add/Remove Programs to uninstall Application X;
- use Add/Remove Programs to uninstall Application X;
- reinstall the application and then use Add/Remove Programs to remove it and its files.

    Resources

- Information on System Restore and Password Restoration (Q295050)
- Non-administrator user is unable to start System Restore utility (Q283252)
- System Restore Tool Displays a Blank Calendar in Windows XP (Q313853)
- The System Restore service does not work correctly (Q841568)


    System Restore and Service Pack Installation

One thing to note about the installation of SP2 is that a restore point is created when SP2 is installed. This is not a typical restore point: it is a very robust one and is significantly larger than the restore points generated by an application install (for example, Office creates a restore point during installation) or by creating a restore point manually. If it is necessary to use a restore point after the installation of a service pack, only the point created by the service pack installation or those created after it should be used.


    WFP/SFC

    A common issue with Windows has been the ability for shared system files tobe overwritten by other programs, causing unpredictable systemperformance. Windows File Protection (WFP) and Driver Signing prevent the

    replacement of certain system files, providing the user with more stability.

Objectives

- Describe the capabilities of Windows File Protection.
- List the 5 processes that can be used to update protected system files.
- Describe the interaction between Windows File Protection and Driver Signing.
- Explain the 4 unattended installation setup file switches and what they do.


    What is WFP?

In some previous versions of Windows, changes made to shared system files would often cause unpredictable system behavior, ranging from application errors to operating system crashes. This problem usually affects dynamic link libraries (DLLs) and executable files (EXEs).

Windows File Protection is a Windows XP technology that detects changes to protected system files and restores them to the correct version. This prevents DLL duplication and conflicts. The restoration is either automatic (if the correct file is in the cache) or the user is prompted for the Windows XP CD to supply the proper files. In addition, WFP comes with a number of utilities for checking WFP issues.

    How WFP works

    WFP runs in the background on a Windows XP system detecting when a file

    replacement is attempted on a protected system file.

    First, the list of protected system files is monitored for changes. When achange is detected to a protected file, WFP determines whether the original

    file resides in the dllcache folder. If it does, the incorrect version isautomatically replaced and the replacement attempt is noted in the system

    event log.

    Figure 14: Successful file restoration logged
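As an added example (not Microsoft code and not part of this module), the following Python script models the detect-and-restore loop described above on a throwaway directory: it baselines the hashes of "protected" files, then, when a file is found changed or missing, restores it from a dllcache copy if that copy is the correct version and otherwise records that installation media would be needed. The directory layout, file contents and event strings are constructed for the example; real WFP runs inside Windows and verifies files against signed catalogs rather than SHA-256 hashes.

```python
r"""Toy model of the Windows File Protection detect-and-restore loop.

Added example, not Microsoft code. Real WFP watches protected files from
inside Windows and restores the correct version from
%systemroot%\system32\dllcache; this script models that loop in user mode
on a throwaway directory: baseline the 'protected' files by hash, detect a
change, restore from the cache copy when that copy is the good one, and
otherwise record that installation media is needed.
"""
import hashlib
import os
import shutil
import tempfile

PROTECTED_EXTS = {".sys", ".dll", ".exe", ".ocx"}   # the module's rule of thumb


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class FileProtector:
    def __init__(self, system_dir, cache_dir):
        self.system_dir = system_dir
        self.cache_dir = cache_dir
        self.events = []            # stand-in for the System event log
        # Baseline: hash of every protected file as it stood when WFP started.
        self.baseline = {
            name: sha256_of(os.path.join(system_dir, name))
            for name in sorted(os.listdir(system_dir))
            if os.path.splitext(name)[1].lower() in PROTECTED_EXTS
        }

    def scan(self):
        """Returns (restored_names, names_needing_media)."""
        restored, need_media = [], []
        for name, good_hash in self.baseline.items():
            target = os.path.join(self.system_dir, name)
            if os.path.isfile(target) and sha256_of(target) == good_hash:
                continue                                  # unchanged
            cached = os.path.join(self.cache_dir, name)
            if os.path.isfile(cached) and sha256_of(cached) == good_hash:
                shutil.copyfile(cached, target)           # silent automatic restore
                restored.append(name)
                self.events.append(f"{name}: replaced by WFP from dllcache")
            else:
                need_media.append(name)                   # would prompt for the XP CD
                self.events.append(f"{name}: not in dllcache, installation media required")
        return restored, need_media


def demo():
    """Build a throwaway system32/dllcache, tamper with it, and scan."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    originals = {"kernel32.dll": b"good kernel32",      # constructed contents
                 "user32.dll": b"good user32",
                 "readme.txt": b"not a protected type"}
    for name, body in originals.items():
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(body)
    shutil.copyfile(os.path.join(sys32, "kernel32.dll"),
                    os.path.join(cache, "kernel32.dll"))   # only kernel32 is cached
    wfp = FileProtector(sys32, cache)
    # An installer overwrites kernel32.dll with an older build and deletes user32.dll.
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
        f.write(b"old kernel32")
    os.remove(os.path.join(sys32, "user32.dll"))
    result = wfp.scan()
    with open(os.path.join(sys32, "kernel32.dll"), "rb") as f:
        assert f.read() == b"good kernel32"               # the restore took effect
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of checking the cache copy's hash before copying it back is the same reason the real dllcache is only trusted when it is intact: a cache that an installer (or malware) has also overwritten is no basis for a restore, and that is exactly the case in which WFP falls back to prompting for media or, with SFC /PURGECACHE, rebuilding the cache.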


    Microsoft Installer (MSI)

If a Microsoft Installer package needs to install a protected file, the Microsoft Installer (MSI) detects that the requested file is protected and asks WFP to install the correct file version. Once WFP locates the necessary file, it installs it and returns success to MSI. If the file cannot be located, WFP returns failure to MSI, which often causes MSI to roll back the installation. (An MSI rollback uninstalls any files and settings created by the MSI package up to that point.)

    WFP Allowable Updates

There are four main Windows File Protection scenarios. Two of them, application installation and ad-hoc file replacement, are situations in which system files are protected by Windows File Protection. The other two, service pack installation and hot fix installation, are examples of allowed system file updates. Replacement of protected system files is supported through the following mechanisms:

- Windows XP service pack installation (UPDATE.EXE)
- Windows XP hot fixes installed via HOTFIX.EXE
- Operating system upgrade (WINNT32.EXE)
- Windows Update
- Windows XP Device Manager/Class Installer

    Note

    WFP protects files, but it does not block write access to %systemroot% andits sub-directories. Protected files updated by any other means will result in

    the replacement of unauthorized files by Windows File Protection.

    Application Installation

    The first scenario is the case of an application installation. There are twocases where an application can cause system files to be replaced, removed or

    overwritten. The first is during the initial application installation; some

    applications replace a protected system file with an older version thancurrently installed. The second case is when an application uninstall deletes aprotected system file. In both of these cases Windows File Protection will

    automatically restore the replaced system file.

    Service Pack Installation

    The second scenario is the case of the service pack installation. Windows File

    Protection allows for protected system files to be updated when using theupdate.exe program during a service pack installation. What this means isthat the service pack installations may copy newer files of protected system

    files during installation and that they may remove files during an uninstall of aservice pack.


    Replacing protected files by other means than those above will result in the

    unauthorized files being replaced by Windows File Protection.

    Hot Fix Installation

    The third scenario is the case of a hot fix installation. Just like a service packinstallation, Windows File Protection allows for the updating of protected

    system files using the hotfix.exe program. What this means is that hot fixinstallations may copy newer versions of protected system files during

    installation and then they may also remove files during an uninstall of a hotfix.

    Ad-Hoc File Replacements

    The final scenario is the case of ad-hoc file replacements. An ad-hoc file

    replacement is when a user either deletes or renames a protected operatingsystem file. As a general rule all SYS, DLL, EXE and OCX files that ship on the

    Windows XP CD ROM are protected. Any user attempt to modify or deletethese files will result in the Windows File Protection replacing the incorrect

    version.

WFP Utilities

The three key tools for looking at WFP issues are the File Signature Verification tool (Sigverif.exe), its log file (Sigverif.txt), and System File Checker. Each can be used to help check WFP issues.

The Signature Verification tool (SIGVERIF.EXE) identifies unsigned files on a computer and writes a log (SIGVERIF.TXT) of all signed and unsigned drivers. System File Checker (SFC.EXE) scans protected system files to verify them and restore the correct versions.

    WFP Configuration

    The default settings for WFP can be configured through unattended setup

    parameters.

    The [SystemFileProtection] section of the unattended setup information filecontains parameters for the Windows File Protection service. If this section is

    missing or empty, Setup will install Windows File Protection using defaultvalues.


    Windows File Protection Troubleshooting

Windows File Protection (WFP) prevents the replacement of certain monitored system files. This section discusses how to troubleshoot WFP using System File Checker (SFC) and File Signature Verification (sigverif), along with some troubleshooting considerations.

    System File Checker (SFC)

A command-line utility, System File Checker (SFC.EXE), allows an administrator to scan all protected files to verify their versions.

    SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/ENABLE] [/PURGECACHE] [/CACHESIZE=x]

Table 1: SFC.EXE Switches

    Switch          Function performed
    /SCANNOW        Scans all protected system files immediately.
    /SCANONCE       Scans all protected system files once, at the next restart.
    /SCANBOOT       Scans all protected system files every time the system is restarted.
    /CANCEL         Cancels all pending scans of protected system files.
    /QUIET          Replaces all incorrect file versions without prompting the user.
    /ENABLE         Enables Windows File Protection for normal operation.
    /PURGECACHE     Purges the Windows File Protection file cache and scans all protected system files immediately.
    /CACHESIZE=x    Sets the size of the Windows File Protection file cache.

    System File Checker will also check and repopulate the%systemroot%\system32\dllcache directory. In the event the dllcachedirectory becomes corrupted or unusable, SFC /SCANNOW, /SCANONCE

    /SCANBOOT or /PURGECACHE can be used to fix the contents of the dllcache

    directory.


    Signature Verification

    Another useful troubleshooting tool for Windows File Protection is the File

    Signature Verification Tool, or Sigverif.exe. You can use the Sigverif.exe toolto identify unsigned drivers on a computer running Windows XP.

SIGVERIF.EXE supports the following command-line option to run the default scan without user interaction:

    sigverif.exe /defscan

Figure 18: Run Sigverif

When you use this command, a Sigverif.txt log file is created, which contains the following information for each file:

- The file's name
- The file's location
- The file's modification date
- The file type
- The file's version number


    If a file change is detected by WFP and the affected file in use by the

    operating system is not the correct version and/or the file is not cached in the

    dllcache directory, WFP will attempt to locate installation media by itself. Ifthat search fails, WFP will prompt the user to insert the appropriate media toreplace the file and/or dllcache.

    Ensure that you have access to install sources for protected system files incase you are prompted for them.

    Summary

    In this section we discussed the various troubleshooting tools and

    considerations for Windows File Protection.

The troubleshooting tools are System File Checker, the File Signature Verification tool, and Event Viewer for reading the system log. Some considerations include cleaning out the dllcache to resolve cache issues, ensuring that you have access to install sources for protected system files in case you are prompted for them, and disabling Windows File Protection either by booting into Safe Mode or via the registry.


    Documentation Resources

    Solid product documentation is one of the most powerful tools you can use

    when troubleshooting. The Knowledge Base is the most used single resourcefor troubleshooting, but unfortunately other depth sources can be difficult to

    find. Below are the key documentation sources you can use to dig deeper intothe Operating System.

    Help and Suppor t

    Location: Help and Support on the Start menu.

    Windows help content is better than ever in Windows XP, and it should be oneof the first places you search when seeking information on a productcomponent. Because of the new Search functionality provided by Help and

    Support, when you search in the Help interface, you are also searching thepublic Knowledge Base and Resource Kit documentation.

The results of your search on a released operating system are always public content, and thus can be sent to customers to aid them in tasks that may require a detailed explanation.

    Help and Support Tools

    In addition to documentation resources, Help and Support provides a varietyof tools to gather information about the computer, perform diagnostic tasks,

    and walk through troubleshooting recommendations.

    Network Diagnostics is one example of a tool in Help and Support. This
    interface provides an automated method for troubleshooting TCP/IP
    connectivity and name resolution issues. With this interface you will see a
    simple pass/fail indication for the various tests performed so that you can
    walk a customer through those results, rather than typing a great deal of
    troubleshooting commands to gather the same information.

    Tests performed include:

    Ping the local IP address
    Ping the default gateway
    Ping the DNS server
    Test connection to mail servers

    This is just a short list of the tests performed. The results can provide a great
    deal of information on the network.

    Note that the Network Diagnostics interface does not attempt to ping or
    connect to other computers in the home network. As a result it is more
    appropriate for Internet connectivity and name resolution testing than File
    Share issues.


    MSConfig

    MSConfig.exe is a tool for standard troubleshooting in Windows XP that
    provides access to the configuration for normal or diagnostic startup, the
    ability to expand files, access System Restore, edit Win.ini and System.ini
    configurations, modify your Boot.ini options, configure the startup for
    Services, and also disable startup applications.

    You will use MSConfig primarily when you can start the computer in Safe
    Mode, but normal mode fails. In these cases, you can use MSConfig to
    eliminate applications and Services from starting. You can also use it when
    startup is not configured the way that you would like it to be; for example, if
    you need a specific Boot.ini option, but the person you are working with is
    uncomfortable with editing the Boot.ini directly. In these cases, you can add
    switches simply by clicking an option in this tool.

    Figure 20: System Configuration Utility

    The general use of MSConfig is to do additional troubleshooting if a Safe Mode
    startup functions properly, but normal startup fails. It can help eliminate
    applications, Services, and System.ini or Win.ini options from being loaded
    during startup or application initialization to allow further troubleshooting.
    One startup configuration that is not provided in MSConfig is for devices.
    Access to device drivers at startup is not available because the system uses
    Device Manager to configure, disable, and uninstall devices.


    Considerations

    The primary consideration when using MSConfig is that it is not a solution; it
    is a troubleshooting tool. You can use MSConfig to determine the cause of the
    issue, but you will use other tools to make a permanent fix. To help
    customers understand this, MSConfig provides a startup message to tell you
    that you are in a diagnostic startup mode. Do not run in this diagnostic
    startup mode for regular use; use other troubleshooting tools in order to
    provide the permanent solution.

    For example, a customer calls because he is receiving an error at boot. Using
    MSConfig to narrow down the scope of your search, you discover that a third
    party application is causing the error. MSConfig gives you the Run key to this
    one Registry value; you then use Regedit to remove or modify this value so
    that it works properly. Or, you may need to reinstall the application or even
    uninstall it until an update is available. Editing the registry and uninstalling
    the application cannot be done with MSConfig because MSConfig is a
    diagnostic tool. Once you diagnose the problem, you can choose the proper
    tool to fix it.


    MSInfo32

    The Microsoft System Information tool (msinfo32.exe or winmsd.exe) uses
    WMI to provide comprehensive system information. The output from this tool
    can be saved to a .NFO file, which is viewed in the System Information
    interface. Useful support information includes:

    System Summary: includes OS Version, BIOS Version/Date, Windows
    Directory, Boot Device, User Name, Time Zone, Total and Available memory,
    Total and Available virtual memory, Page File location and free space.

    Hardware Resources: DMA, I/O Port addresses, IRQs and Memory ranges used
    by devices on the system.

    Component Information: For each device in the system MSInfo32 identifies the
    Type, Status, Driver in use, PnP Device ID, and other device class-specific
    information such as Transfer rate, INF used to install the driver, and others.

    Storage Information: Drives in the system, Capacity, File System, Disk
    Controller information.

    Currently Installed Drivers: With driver name, path, driver type, state, startup
    mode.

    Signed Driver report

    Environment Variables

    Loaded Modules: Lists all currently loaded modules with their version, size,
    date, manufacturer and path.

    Services: Identifies the name, state, startup mode, path, error control and
    account name.

    Startup Programs: including path and startup location.

    Windows Error Reporting History

    Internet Settings

    Office Application configuration data

    MSInfo32 provides a good general snapshot of the system configuration that
    can be useful for data gathering when diagnosing issues on a system.

    Systeminfo.exe is a new command line tool that makes a subset of this
    information available from a command prompt. This can be useful for general
    data gathering on a machine, either local or remote. Significant information
    includes:

    Operating System Version
    System manufacturer and model information
    Page File size, available space and location(s)
    Hotfixes installed
    Network adapters, with IP configuration

    This is a compact set of key system parameters that can be useful when
    performing data gathering to investigate an issue.


    When you find error messages, double-click the event in the log and view the

    details, as shown below.

    Figure 22 Event Log Error

    Use the content of those messages to further troubleshoot the issue.
    Searching the Knowledge Base and the Internet can provide information to
    help resolve the problem.


    Error Reporting

    Error Reporting in Windows XP is the mechanism that sends error details to
    Microsoft for aggregation and analysis. When receiving an error, you are
    presented with the interface shown below, with options to Send Error
    Report or Don't Send.

    Figure 23 Error Reporting

    Sending the error report uploads error details for analysis. When an issue
    trend appears, the internal Microsoft team that works with these errors can
    then investigate further.

    If you are encountering an error with a clear resolution, the results of these
    investigations are provided after sending the report.

    When working with customers experiencing application errors or system faults
    (bluescreen errors), recommend that they upload one or more error reports.
    If content is available they will be directed to a web page providing more
    information.


    Dr. Watson

    Dr. Watson generates an error log when an application is terminated
    unexpectedly. Dr. Watson for Windows is an error debugging program that
    gathers information about your computer when a program generates an error
    (or user-mode fault). By default, the log file created by Dr. Watson is named
    Drwtsn32.log and is saved in the following location: \Documents and
    Settings\All Users\Application Data\Microsoft\Dr Watson

    For additional information on the Dr. Watson for Windows Tool, please refer to
    the following article:
    KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool (308538)

    Note: If the customer is unable to note the error message because it
    disappears too quickly or the computer shuts down immediately after the fault, it
    is essential to gather the Drwtsn32.log. The error message will be registered
    in this log.

    Here is an example of how Drwtsn32.log can be useful for troubleshooting.

    Scenario

    A customer calls in reporting that his/her computer crashed while browsing
    websites. However, the user was unable to gather the error details.

    Dr Watson Details

    The Drwtsn32.log file includes the following entry, which helps isolate the
    application experiencing the problem:

    Application exception occurred:

    App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)

    When: 7/7/2002 @ 12:42:27.524

    Exception number: c0000005 (access violation)
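    As an added example (not part of the original training material), the following Python helper pulls the faulting application, PID, timestamp and exception code out of Drwtsn32.log entries like the one above, so a log a customer sends in can be triaged quickly even when nobody saw the error dialog. The log text is constructed for the example (the scenario's entry plus a second, made-up one), and the exception-name table covers only a few common NT status codes.

```python
"""Triage helper for Dr. Watson (Drwtsn32.log) application-exception entries.
Added example, not Microsoft's code."""
import re
from datetime import datetime

# Sample log content, constructed for this example: the entry from the
# scenario above plus a second, made-up entry.
SAMPLE_LOG = """\
Application exception occurred:
        App: C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe (pid=1624)
        When: 7/7/2002 @ 12:42:27.524
        Exception number: c0000005 (access violation)

Application exception occurred:
        App: C:\\Program Files\\Internet Explorer\\iexplore.exe (pid=2020)
        When: 7/8/2002 @ 09:15:03.101
        Exception number: c00000fd (stack overflow)
"""

# A few well-known NT status codes, used only to label the exception number.
KNOWN_EXCEPTIONS = {
    0xC0000005: "access violation",
    0xC00000FD: "stack overflow",
    0x80000003: "breakpoint",
    0xC0000094: "integer divide by zero",
    0xC000001D: "illegal instruction",
}

# One match per "Application exception occurred:" block.
ENTRY_RE = re.compile(
    r"Application exception occurred:\s*"
    r"App:\s*(?P<app>.+?)\s*\(pid=(?P<pid>\d+)\)\s*"
    r"When:\s*(?P<when>[\d/]+ @ [\d:.]+)\s*"
    r"Exception number:\s*(?P<code>[0-9a-fA-F]+)",
    re.DOTALL,
)


def parse_drwtsn32_log(text):
    """Return one dict per application-exception entry found in the log text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = int(m.group("code"), 16)
        entries.append({
            "app": m.group("app"),
            "exe": m.group("app").rsplit("\\", 1)[-1],   # file name only
            "pid": int(m.group("pid")),
            "when": datetime.strptime(m.group("when"), "%m/%d/%Y @ %H:%M:%S.%f"),
            "code": code,
            "fault": KNOWN_EXCEPTIONS.get(code, "unknown exception"),
        })
    return entries


def summarize(text):
    """One line per crash: '<exe> pid=<pid> <code> (<fault>) at <time>'."""
    return [
        "%s pid=%d %08x (%s) at %s" % (e["exe"], e["pid"], e["code"], e["fault"],
                                       e["when"].isoformat(sep=" "))
        for e in parse_drwtsn32_log(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```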


    Cacls

    Cacls.exe displays or modifies the discretionary access control list (DACL) for files
    and folders on NTFS volumes. For diagnostic work, cacls is useful in its ability
    to output the ACLs applied to an object, as well as for command line ACL
    modifications.

    Usage:

    CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
                   [/P user:perm [...]] [/D user [...]]

    filename      Displays ACLs.
    /T            Changes ACLs of specified files in
                  the current directory and all subdirectories.
    /E            Edit ACL instead of replacing it.
    /C            Continue on access denied errors.
    /G user:perm  Grant specified user access rights.
                  Perm can be: R  Read
                               W  Write
                               C  Change (write)
                               F  Full control
    /R user       Revoke specified user's access rights (only valid with /E).
    /P user:perm  Replace specified user's access rights.
                  Perm can be: N  None
                               R  Read
                               W  Write
                               C  Change (write)
                               F  Full control
    /D user       Deny specified user access.

    Wildcards can be used to specify more than one file in a command.
    You can specify more than one user in a command.

    Abbreviations:
       CI - Container Inherit.
            The ACE will be inherited by directories.
       OI - Object Inherit.
            The ACE will be inherited by files.
       IO - Inherit Only.
            The ACE does not apply to the current file/directory.

    Note: The /E switch is particularly important to understand. By default, cacls
    replaces the ACL of the specified object. This can be destructive when you
    simply want to grant one user or group access to an object that already has a
    complex ACL. If you use /E you will simply add an entry, rather than creating
    a new ACL.

    Sample Commands

    The first example displays the current ACL for the D:\data folder on the
    server:

    Cacls D:\data


    The following command grants the user abeebe Change rights to the file
    D:\Data\File.xls:

    Cacls D:\data\file.xls /e /g abeebe:C

    To remove a user or group from the ACL, use the /R switch (together with /E,
    since /R is only valid when editing an existing ACL) as shown below:

    Cacls D:\data /e /R mycorp\salesgroup
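    The note on /E above is the part of cacls that most often goes wrong, so here is an added example (not Microsoft's code) that models the editing rules from the usage text in Python and shows the ACL that results from the same grant with and without /E. The starting ACL and account names are constructed, and the model deliberately ignores inheritance flags (CI/OI/IO) and the /T and /C switches' effects.

```python
"""Model of the cacls.exe editing rules documented in the usage text above
(added example, not Microsoft's code). An ACL is modelled as a mapping of
account -> permission letter (R, W, C, F or N) or 'DENY'; inheritance flags
are not modelled, and /T and /C are parsed but have no effect here."""

VALID_GRANT = {"R", "W", "C", "F"}          # perms accepted by /G
VALID_REPLACE = {"N", "R", "W", "C", "F"}   # perms accepted by /P


def parse_cacls(cmdline):
    """Parse 'CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user]
    [/P user:perm] [/D user]' into a dict of switches and ordered operations."""
    argv = cmdline.split()
    if len(argv) < 2 or argv[0].lower() != "cacls":
        raise ValueError("expected: cacls filename [options]")
    cmd = {"file": argv[1], "T": False, "E": False, "C": False, "ops": []}
    i = 2
    while i < len(argv):
        sw = argv[i].upper()
        if sw in ("/T", "/E", "/C"):
            cmd[sw[1]] = True
            i += 1
            continue
        if sw not in ("/G", "/R", "/P", "/D"):
            raise ValueError("unknown switch %s" % argv[i])
        i += 1
        # /G /R /P /D each take one or more user (or user:perm) operands.
        while i < len(argv) and not argv[i].startswith("/"):
            cmd["ops"].append((sw[1], argv[i]))
            i += 1
    return cmd


def apply_cacls(acl, cmdline):
    """Return the ACL that would result from running cmdline against acl."""
    cmd = parse_cacls(cmdline)
    if not cmd["ops"]:
        return dict(acl)                 # no edit switches: display only
    # The key point from the note: without /E the existing ACL is discarded
    # and only the accounts named on the command line survive.
    result = dict(acl) if cmd["E"] else {}
    for op, operand in cmd["ops"]:
        if op == "R":
            if not cmd["E"]:
                raise ValueError("/R is only valid together with /E")
            result.pop(operand, None)
            continue
        if op == "D":
            result[operand] = "DENY"
            continue
        user, _, perm = operand.partition(":")
        perm = perm.upper()
        allowed = VALID_GRANT if op == "G" else VALID_REPLACE
        if perm not in allowed:
            raise ValueError("bad permission %r for /%s" % (perm, op))
        result[user] = perm
    return result


# Constructed starting ACL for D:\data\file.xls: two default entries plus a group.
BEFORE = {"BUILTIN\\Administrators": "F",
          "NT AUTHORITY\\SYSTEM": "F",
          "MYCORP\\salesgroup": "R"}

if __name__ == "__main__":
    print("without /E:", apply_cacls(BEFORE, r"cacls D:\data\file.xls /g abeebe:C"))
    print("with /E:   ", apply_cacls(BEFORE, r"cacls D:\data\file.xls /e /g abeebe:C"))
```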


    Support Tools

    The Support Tools are a set of troubleshooting tools that are provided on both
    the Windows XP Home Edition and Professional CDs. For information on the
    individual Support Tools, see the online help and Readme.htm located in the
    Support Tools folder. The Support Tools in Windows XP are provided for
    advanced diagnostics and troubleshooting.

    Tools Included

    The Support Tools contain a wide variety of diagnostic, troubleshooting and
    administration tools. Some highlights include the Application Compatibility
    Toolkit; the Dependency Walker (Depends.exe), which provides information
    about file dependencies for any WIN32 executable or DLL; NetCap.exe, which
    is a command line network monitor capture utility; Poolmon.exe, the memory
    pool monitor; SPcheck.exe, the Service Pack check utility; and XCACLS, which
    displays access control lists (ACLs) for files and folders. For more information
    on each tool, consult the syntax guide using the /? switch.

    Installation

    You can install the Support Tools using Setup.exe located in the
    \Support\Tools directory on the Windows XP CD-ROM. By default, the tools
    are installed to your \Program Files\Support Tools directory, but you can
    change this destination using the Custom installation option. In total, the
    installation takes about 8 MB of disk space.

    RASDiag

    Location: RASDiag is included in the Windows XP Support Tools.

    This is an advanced tool that collects diagnostic information about dial-up,
    VPN and PPPoE connections and places that information in a file. Customers
    can use this tool to work with Product Support Services to troubleshoot
    remote connection issues by taking a snapshot of the configuration data and
    capturing an attempted remote connection.

    Note:

    Because RASDiag is a data collection tool, it is only useful when the customer
    has a way of sending you the resulting data file. The data file also requires
    analysis, so this is not a tool that is useful while on a live call with a
    Consumer customer.


    Contents of C:\WINDOWS\TRACING\RASIPCP.LOG
    Contents of C:\WINDOWS\TRACING\RASIPHLP.LOG
    Contents of C:\WINDOWS\TRACING\RASNBFCP.LOG
    Contents of C:\WINDOWS\TRACING\RASPAP.LOG
    Contents of C:\WINDOWS\TRACING\RASTLS.LOG
    Contents of C:\WINDOWS\TRACING\Router.LOG
    Contents of Connection Manager Logs
    Contents of C:\WINDOWS\ModemLog*.TXT
    Contents of C:\WINDOWS\DEBUG\oakley.log
    IP Configuration for each interface (IPConfig /all)
    Routing Table (Netstat -r)
    Ethernet Statistics (Netstat -e)
    IP, TCP and UDP Statistics (Netstat -s)
    Active connections (Netstat)
    Contents of System and User PBK
    Last 10 events from the Security log
    Process information (PIDs and a list of Services loaded in each process)

    Because it provides such a wide variety of logging, and captures network
    traffic on all local interfaces, RASDiag is a key tool for troubleshooting remote
    connectivity.


    Windiff

    Windiff.exe is a tool that has been around for a long time and is included in
    the Support Tools. It's designed to highlight the differences between two files
    based on a line by line comparison. It is particularly useful for comparing
    .REG files and output from command line tools such as sc queryex type= all
    state= all to identify differences.

    The following example shows Windiff results of a comparison between SC.EXE
    output from two different machines. The first change identified is the state of
    the Windows Audio Service.

    Figure 24: Windiff

    The results in Expanded view display common contents with a white
    background. Entries that are in the Left side file (the first file opened) but not
    the Right side file are displayed with a Red background. Entries that are in
    the Right hand file but not the Left hand file are displayed with a Yellow
    background.

    With that information we can interpret the results above to mean that the
    Windows Audio service is running on the machine from which Std_SC.txt was
    captured, but stopped on the Ent_SC.txt machine.

    Windiff is most useful for the following type of comparison:

    Compare an exported registry branch from a working machine and a broken
    machine.
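    The Std_SC.txt versus Ent_SC.txt comparison above can also be done without Windiff; the following added example (not part of the original material) parses two sc queryex captures and reports every service whose state differs, including a service that exists on only one machine, which is what you look for when comparing a known-good baseline with a suspect host. The two captures are constructed to mimic sc.exe output, and the service names other than AudioSrv are made up.

```python
"""Programmatic version of the Windiff comparison of two
'sc queryex type= all state= all' captures (added example, not Microsoft's code).
Reports each service whose STATE differs between a known-good capture (left)
and a suspect one (right); a service present on only one side is flagged too."""
import re

# Both captures are constructed to mimic sc.exe output. AudioSrv is the
# Windows Audio difference from the walkthrough; the other names are made up.
STD_SC = """\
SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        PID                : 1040

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        PID                : 0
"""

ENT_SC = """\
SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        PID                : 0

SERVICE_NAME: svchelper
DISPLAY_NAME: Service Helper
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        PID                : 1512
"""

# 'KEY : value' lines; flag lines such as '(STOPPABLE, ...)' do not match.
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_queryex(text):
    """Map SERVICE_NAME -> {'DISPLAY_NAME': ..., 'STATE': 'RUNNING', 'PID': '1040', ...}."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            # '4  RUNNING' -> 'RUNNING'; every other field is kept verbatim
            current[key] = value.split()[-1] if key == "STATE" else value
    return services


def compare_states(left_text, right_text):
    """Return [(service, left_state, right_state)] for every service whose state
    differs; 'MISSING' marks a service that exists on only one side."""
    left, right = parse_sc_queryex(left_text), parse_sc_queryex(right_text)
    diffs = []
    for name in sorted(set(left) | set(right)):
        ls = left.get(name, {}).get("STATE", "MISSING")
        rs = right.get(name, {}).get("STATE", "MISSING")
        if ls != rs:
            diffs.append((name, ls, rs))
    return diffs


if __name__ == "__main__":
    for name, ls, rs in compare_states(STD_SC, ENT_SC):
        print("%-12s left=%-8s right=%s" % (name, ls, rs))
```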


    Recovery Console

    Recovery Console's purpose is for repairing installations that will no longer
    boot into Windows XP normally or with Safe Mode. You can boot into the
    Recovery Console to attempt to make modifications that will allow Windows
    XP to boot normally. This is not designed as a Data Recovery mechanism.
    Safe Mode is the preferable way of accessing Windows XP, but there are some
    situations where access to Windows XP may not occur even with Safe Mode.
    Under these situations use the Recovery Console.

    When you use the Windows Recovery Console, you can obtain limited access
    to the NTFS file system, FAT, and FAT32 volumes without starting the
    Windows graphical user interface (GUI). In the Windows Recovery Console,
    you can:

    Use, copy, rename, or replace operating system files and folders.
    Enable or disable service or device startup the next time that you start your
    computer.
    Repair the file system boot sector or the Master Boot Record (MBR).
    Create and format partitions on drives.

    Note: Only an administrator can obtain access to the Windows Recovery
    Console, so that unauthorized users cannot use any NTFS volume.

    Secure Access

    Recovery Console requires an Administrator password before accessing the
    hard drives unless no valid Windows NT based OS is found. In the past, you
    selected the Administrator password when Recovery Console was installed,
    and the password did not automatically update when it was changed in the
    GUI, nor could it be changed from within Recovery Console. This problem has
    been corrected. The Administrator password for Recovery Console now
    updates automatically when changed from within Windows XP.

    Limited Access to the Drive

    To further alleviate security concerns, once the administrator is logged on to
    the system they do not have full access to the drive and are not allowed to
    copy files from the drives to removable media.

    By default, users only have access to the \Windows directory for the
    installation to which you are logged on, as well as the root directory of the
    drive, removable media, and the Recovery Console source, either on the CD
    or the \cmdcons directory if it is installed on the hard drive.

    Removable media access is read-only by default. Policy settings are available
    which can modify the behavior of removable and local drive access rules.


    For more information, please refer to the following article:
    KB Article: How to add more power to Recovery Console by using Group
    Policy in Windows XP Professional (310497)

    Note: This article is only applicable to Windows XP Professional as the
    functionality of Group Policy is NOT available in Home Edition.

    Recovery Console vs. Safe Mode

    Safe Mode is the preferable way to do repairs to the system; however, there
    will be occasions when none of the Safe Mode options will allow access to the
    system. This can be on systems with NTFS drives as the system and boot
    volumes, where a critical device driver has been removed, overwritten, or
    corrupted and needs to be replaced before the system will boot.

    Using Recovery Console

    To use Recovery Console, you should be familiar with the process for starting
    Recovery Console, logging on to an installation, and performing key
    troubleshooting actions.

    Note: this document does not present complete coverage of all commands in
    Recovery Console. Rather, the focus is on the most common troubleshooting
    actions performed. For information on all commands available in Recovery
    Console, see the following article:
    KB Article: Description of the Windows XP Recovery Console (314058)

    Starting Recovery Console

    Recovery Console can be started three ways:

    From the Windows XP CD
    From the Boot Floppies
    If it is installed on the hard drive, it can be selected from the boot menu
    at start up.

    From the CD-ROM

    Boot to the CD-ROM. Press a key when you see the message to Press any
    key to boot from CD. If this message does not appear, the BIOS boot order
    may need to be changed.


    The next screen offers the option to Repair or Install. You can press ENTER to

    set up Windows XP or you can press R to start Recovery Console.

    Figure 25 Press R to Start Recovery Console

    The above step should not be confused with the Repair installation step. To
    run a Repair installation you would press ENTER at the above prompt, and
    then press R to run Repair.

    Recovery Console starts by listing Windows installations found on the drives
    available on the computer. This list will not include Windows 95/98/Me. Select
    an installation by entering the number listed to the left as shown below.

    Figure 26 Select Installation


    While you cannot walk a customer through the process of configuring
    the BIOS boot order, you can indicate to them what kind of setting they
    can look for. This setting is typically listed as Boot Device, Boot
    Priority, Boot Order, or similar text. The customer should set the CD-ROM
    device as first in the boot order.

    IMPORTANT: It is important to set the customer's expectations that
    you cannot guide them through this process, and that they perform
    these steps at their own risk. Risks include: misconfiguration of the hard
    disk settings resulting in no ability to access the drive, and other boot
    failures. While unlikely, data loss is also a remote possibility.

    If you are not able to boot the computer from a Windows XP CD, an
    alternative is to download the files to create Setup Boot Disks.

    From the Boot Floppies

    If you are unable to configure the computer to boot from the Windows XP CD,
    you can use information in the following article to download the Setup Boot
    floppy disk images as an alternative:
    KB Article: How to obtain Windows XP Setup boot disks (310994)